
Given the popularity of e-mail, two serious threats to it have surfaced over the years: spamming and phishing. And whether you like it or not, they will soon be attacking your inbox.
Spamming refers to the act of sending out unsolicited commercial messages through such forms of electronic communication as instant messaging, e-mail, and even mobile phone calls. Phishing, on the other hand, is the sending of e-mail that attempts to trick the recipient into unknowingly sharing credit card information and passwords through links to fraudulent websites.
PROBLEM GETTING WORSE
The problem from these twin threats is getting worse.
According to Postini, a US-based e-mail management company that gathers statistics from its users, one day alone can yield as many as 400 million spam messages. Indeed, spammers and phishers thrive on big numbers, and the more e-mail they send, the greater the chances of their duping someone into buying something worthless or nonexistent or giving sensitive information.
Based on the information that Postini shares on its website, the volume of spam continues to increase month after month. The cross-industry consortium Anti-Phishing Working Group (APWG), on the other hand, reports that spam activity becomes even more widespread during the holiday season. In fact, the group’s November 2006 trends report showed that there were over 37,439 distinct sites on the Web engaged in phishing.
Because of the sheer volume of spam, the amount of productive time it takes to combat it is taking its toll on companies. More and more, employees are spending a great deal of time deleting and processing messages—time that could be used for more productive pursuits.
Phishing can also seriously compromise an organization’s IT capability because the activity consumes network resources, exposes computers to malicious websites, and needlessly takes up valuable storage space. And when phishing entities manage to get hold of passwords and sensitive information, the financial and logistics implications to the organization will be even worse and much more costly.
RESILIENT THREATS
Their resiliency is a key characteristic of spamming and phishing. They have engaged data-security companies in a wild goose chase through the years and have become even wilier in their techniques to evade anti-spam and anti-phishing software. They began as simple junk e-mail messages containing readable text and links to websites, but spam and phishing have now evolved into garbled messages showing no coherence or into text rendered in image files that enter your mailbox by stealth.
You have to ensure that your e-mail address is adequately protected because it’s all that spammers and phishers need to attack. They use programs called spam bots to harvest all the e-mail addresses they can find online. For example, if a user posts an e-mail address in the usual “user@domainname.com” format on a website or forum, the spam bot will automatically recognize and capture it into its database.
Based on a test run by the Center for Democracy and Technology, over 97 percent of spam being delivered involves e-mail addresses published on a website. Thus, if you absolutely need to share your e-mail address through the Web, you may need to employ different techniques of communicating your e-mail address so you can evade the spam harvesters. For instance, some people mask e-mail addresses under the “user [at] domainname [dot] com” format or use free tools like the e-mail icon generator at http://services.nexodyne.com/email/index.php, which saves your e-mail address as an image that makes it possible for you to share it on websites, forums, etc.
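To see which addresses on your own page are published in the plain format described above, you can audit the page's HTML before posting it. The following is an added example, not part of the original article; the function name `exposed_addresses` and the sample page are constructed for illustration.

```python
import html
import re

# The plain "user@domainname.com" form the article describes.
PLAIN_ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
TAG = re.compile(r"<[^>]+>")
MAILTO = re.compile(r"""href\s*=\s*["']mailto:([^"'?]+)""", re.IGNORECASE)


def exposed_addresses(page_html):
    """Return the addresses that appear on the page in plain, machine-readable form."""
    found = set()
    # A mailto: link publishes the address even if the visible link text hides it.
    for target in MAILTO.findall(page_html):
        found.update(PLAIN_ADDRESS.findall(html.unescape(target)))
    # Visible text: drop the tags, then decode entities so the text is what a
    # browser would display.
    visible_text = html.unescape(TAG.sub(" ", page_html))
    found.update(PLAIN_ADDRESS.findall(visible_text))
    return sorted({address.lower() for address in found})


# Constructed sample page: two plain addresses, one masked, one shown as an image.
SAMPLE_PAGE = """
<p>Sales: <a href="mailto:sales@example.com">e-mail us</a></p>
<p>Support: support@example.com</p>
<p>Editor: editor [at] example [dot] com</p>
<p>Owner: <img src="owner-address.png" alt="e-mail address image"></p>
"""

if __name__ == "__main__":
    for address in exposed_addresses(SAMPLE_PAGE):
        print("published in plain format:", address)
```

Only the first two addresses are reported; the masked and image forms do not match the plain pattern.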
HOW TO FIGHT SPAM
To combat unsolicited e-mail even more effectively, you may consider setting up an alternative e-mail account that can serve as a filtering layer for all messages. Free e-mail providers like Gmail offer forwarding services that you can use to have your mail delivered to your main inbox. Since these e-mail providers have excellent spam blocking software, they also greatly minimize the chances of your mailbox getting spam.
In the event that even your alternative e-mail address gets deluged with spam, you can simply get rid of it and create a new one. This is a particularly useful strategy for people who need to sign up with certain websites but don’t wish to give the detailed information provided in their main e-mail account.
Some phishing attacks can be avoided at the e-mail level. A good precaution is to first go over the acceptance policies of websites and check if they have a list of authorized e-mail addresses. Most of the time, if not all the time, these providers will never ask for your password since they have other safe means of accessing your account like administrator access. Now, if you find yourself in a situation where you have already accessed a link from a phishing e-mail, always double-check if the Web address matches the same domain as the e-mail sent to you. If not, it can be a sign that what you have received is a phishing e-mail. Phishers are known to set up dummy pages on other people’s websites.
Some websites also employ SSL technology to encrypt data like passwords over the Internet, which is the same technology used as the de facto standard for online banking. Thus, if you don’t see an “https://” prefix on the Web address or a padlock icon in one of the corners of your browser, there’s a possibility that there is a phishing attempt on your computer.
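The two checks described above (does the link's domain match the sender's domain, and does the address start with “https://”) can be written down precisely. This is an added example, not part of the original article; `check_link`, the warning labels, and the sample addresses are constructed for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit


def sender_domain(from_header):
    """Domain part of a From value such as 'Example Bank <service@example-bank.com>'."""
    address = parseaddr(from_header)[1]
    return address.rsplit("@", 1)[-1].lower().rstrip(".") if "@" in address else ""


def check_link(from_header, url):
    """Return a list of warnings for a link in an e-mail; an empty list means both checks pass."""
    try:
        parts = urlsplit(url)
        # Compare the parsed host, not the raw string, so text placed before
        # an "@" or in front of the real domain is not mistaken for the host.
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable-url"]

    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append("not-https")

    domain = sender_domain(from_header)
    # The host must be the sender's domain itself or end with ".<domain>".
    same_site = bool(domain) and (host == domain or host.endswith("." + domain))
    if not host or not same_site:
        warnings.append("domain-mismatch")
    return warnings


if __name__ == "__main__":
    sender = "Example Bank <service@example-bank.com>"  # constructed sample
    for link in (
        "https://www.example-bank.com/account",
        "http://example-bank.com/login",
        "https://example-bank.com.accounts.example.net/login",
    ):
        print(link, "->", check_link(sender, link) or "ok")
```

A sender address can itself be forged, so an empty result is not proof that a message is genuine; a warning is a reason to look closer before entering anything.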
According to security firm Trend Micro’s 2006 Threat Roundup, among the top 10 websites attacked by phishers are eBay, PayPal, and several financial institutions. Phishers can penetrate even the more sophisticated security systems of these companies because of the more technologically advanced phishing techniques they have developed recently. Among such techniques is address bar spoofing, which means that they can actually make it appear that the Web address you are visiting is legitimate. The risk from this new phishing technology, though, can be mitigated by upgrading to a new Web browser like Firefox.
At any rate, even if the preventive measures that we take now may not be effective against the next generation of intrusive e-mail, it would be wise to be prudent and always vigilant in dealing with spam and phishing. To avoid—if not completely minimize—problems with them, we must learn how to recognize them and to delete them from our mailboxes at once.
And as a matter of procedure, always be suspicious of anything offered through e-mail or on the Web that’s simply too good to be true. Chances are, it’s spam or you are about to be phished.
(Entrepreneur, December 2008)